Panic like it's 1999: Microsoft Office macro viruses are BACK

VBA IS NOT DEAD, shrieks infosec chap


Macro viruses involving infected Word and Excel files were a plague in the late 1990s. Yet, like grunge music, the genre fell into decline as techniques and technologies moved on. More recently macro viruses have staged something of a revival, thanks to social-engineering trickery.

Windows executable malware has dominated macro viruses written in VBA (Visual Basic for Applications) since the turn of the century.

Users opening an infected document were exposed to malicious code that infected Windows PCs. The macro virus would spread into a user's Office template files before sneaking copies of itself into any subsequently edited documents. Examples of macro-based malware include the fast-spreading Melissa email worm from 1999.

Security improvements in Microsoft Office products blocked many such attacks, propelling macro viruses towards extinction in the process.

Yet recently macro malware has been making a return. Security researcher Gabor “Szappi” Szappanos of Sophos reports that more than half of the document-based attacks seen recently contain VBA macros aimed at tricking the user, rather than more esoteric exploit code designed to trick Office itself.

Miscreants are using social engineering rather than exploiting software bugs and built-in security shortcomings to push the latest generation of macros.

"Crooks often use the presence of macros in their documents as an excuse to suggest that the document is more secure than usual, claiming that the document is somehow 'protected' until you enable macros to decrypt or unscramble it," explains anti-virus veteran Paul Ducklin in a post on Sophos' Naked Security blog.

Szappanos' research on the revival of macro viruses can be found in an article by Virus Bulletin, entitled VBA IS NOT DEAD!, here.

Security software ought to catch the latest generation of macro viruses in most cases - but it would be foolhardy to rely on this line of defence. Szappanos offers a fool-proof way of avoiding infection - disabling macros: "There is no justification as to why the content of a document can only be displayed properly if the execution of macros is enabled. If you receive a document with this advice, be aware: you are probably being attacked." ®

Similar topics


Other stories you might like

  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading

Biting the hand that feeds IT © 1998–2022